Question about certificate entity templating in policies

Hi,

I have set up cert auth with a CA. Client machines will authenticate to Vault using their keys, and will have a policy that lets each machine write secrets on a path that matches their respective CN. The secrets engine is KV2.

As for the create/update policy path, this works:

/mysecrets/data/{{identity.entity.aliases.auth_cert_f6df50ce.name}}/*

However, this does not work:

/mysecrets/data/{{identity.entity.aliases.auth_cert_f6df50ce.metadata.common_name}}/*

According to the documentation I expected that this would work with .metadata.common_name, instead of .name.

What am I missing?

Thanks.
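A complete per-machine KV v2 policy built on the alias-name template that the question reports as working, as an added example rather than the poster's own policy file; the mount accessor `auth_cert_f6df50ce` and the `mysecrets` mount come from the post, while the capability choices and the metadata/delete paths are assumptions about what such a machine needs.

```hcl
# Added example: per-machine KV v2 policy keyed on the cert auth alias name.
# For cert auth the entity alias name is the client certificate's CN, so each
# machine is confined to mysecrets/<its CN>/... at request time. The accessor
# auth_cert_f6df50ce and the mount name come from the post; the capability
# sets below are assumptions.

# Secret versions are read and written under the data/ prefix.
path "mysecrets/data/{{identity.entity.aliases.auth_cert_f6df50ce.name}}/*" {
  capabilities = ["create", "update", "read"]
}

# Listing keys and inspecting version history goes through metadata/.
path "mysecrets/metadata/{{identity.entity.aliases.auth_cert_f6df50ce.name}}/*" {
  capabilities = ["list", "read"]
}

# Soft-deleting the latest version uses the delete/ prefix in KV v2.
path "mysecrets/delete/{{identity.entity.aliases.auth_cert_f6df50ce.name}}/*" {
  capabilities = ["update"]
}
```

Because the template is resolved per request from the caller's entity alias, a client presenting a certificate with a different CN is confined to its own subtree without any per-machine policy files.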

Hey,

There is currently a bug with cert auth where metadata is not written. It can be found over here.
Sadly enough, until it’s fixed, cert auth can’t be used.

Thanks. Not sure if it’s the same thing though, as I’m actually using it. I cannot write to the path with any certificate which doesn’t match the CN in the path, which is what is supposed to happen. I just want to be sure I understand correctly why it’s working.